Assigning roles to Azure Groups does not reflect on users

• What Grafana version and what operating system are you using?
  v8.5.2

• What are you trying to achieve?
  I’m trying to authenticate & authorize users using Azure Active Directory (AAD).

• How are you trying to achieve it?
  We have some groups that include many users. Instead of assigning roles to individual users, I want to roles to groups, and I want that role assignments to reflect when users of those groups log into Grafana.

• What happened?
  The assigned roles of the groups did not reflect on their members, so I am not able to authenticate/authorize users unless I manually assign roles for them which is a hassle.

• What did you expect to happen?
  I expected that the assigned group roles will reflect on the users/members of those groups.

• Can you copy/paste the configuration(s) that you are having problems with?

#################################### Azure AD OAuth #######################
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = <client-id>
client_secret = <client-secret>
scopes = openid email profile
auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
allowed_domains =
allowed_groups =
role_attribute_strict = true

• Did you follow any online instructions? If so, what is the URL?
  Yes, I basically followed this: Azure AD OAuth2 authentication | Grafana documentation

After some investigations, I found out that the cause of the issue is from Azure AD not Grafana.

image702×301 8.35 KB

As can be seen in this warning message, the role assignments won’t be cascaded to nested groups. Only direct users will get access. I tested access on direct and it works as expected.